author | Robin Watts <robin.watts@artifex.com> | 2014-01-08 19:36:13 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2014-01-08 19:39:06 +0000 |
commit | cc5e1c6444523ae4d7dca0feea40a41be1cbb7b2 (patch) | |
tree | 8a70bd9b5b52901a998e8a5130263faed3fd9719 /source | |
parent | 32f9ae732fc4f33ef2644a09b05d8ad35bc140ca (diff) | |
fuzzing fix for null colorspace derefence.
Bad annotation appearance streams can leave font_rec holding invalid
values. Mitigate this partly by hardening the code against bogus values,
and partly by setting sane defaults before parsing.
This can be seen in:
33bfbe117bfef7fafc3f927acf50a2e7_signal_sigsegv_81dd96_6257_5205.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
Diffstat (limited to 'source')
-rw-r--r-- | source/pdf/pdf-appearance.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
index c5c16ba6..e57a3202 100644
--- a/source/pdf/pdf-appearance.c
+++ b/source/pdf/pdf-appearance.c
@@ -1811,6 +1811,10 @@ void pdf_update_free_text_annot_appearance(pdf_document *doc, pdf_annot *annot)
 	memset(&font_rec, 0, sizeof(font_rec));
+	/* Set some sane defaults in case the parsing of the font_rec fails */
+	font_rec.da_rec.col_size = 1; /* Default to greyscale */
+	font_rec.da_rec.font_size = 12; /* Default to 12 point */
+
 	fz_var(dlist);
 	fz_var(dev);
 	fz_var(text);
@@ -1826,7 +1830,7 @@ void pdf_update_free_text_annot_appearance(pdf_document *doc, pdf_annot *annot)
 	switch (font_rec.da_rec.col_size)
 	{
-	case 1: cs = fz_device_gray(doc->ctx); break;
+	default: cs = fz_device_gray(doc->ctx); break;
 	case 3: cs = fz_device_rgb(doc->ctx); break;
 	case 4: cs = fz_device_cmyk(doc->ctx); break;
 	}
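Review bot: The `default:` arm in the second hunk fixes the null `cs` for an out-of-range `col_size`, but it leaves `font_rec.da_rec.col_size` itself holding the bogus value, so any later consumer that trusts `col_size` (presumably the code that passes `da_rec.col` alongside `cs`, or writes the DA string back) still sees a count that disagrees with the gray colorspace chosen here. Normalising the field once before the switch, `if (font_rec.da_rec.col_size != 3 && font_rec.da_rec.col_size != 4) font_rec.da_rec.col_size = 1; /* only 1, 3 or 4 components are valid */`, keeps the switch and every downstream reader consistent and makes the plain `case 1:` arm sufficient again. Placing `default:` as the first arm is also unusual enough that a short comment, `/* anything but 3 or 4 components is treated as greyscale */`, would help the next reader. The surrounding function `pdf_update_free_text_annot_appearance` starts and ends outside both hunks, so the later uses of `col_size` cannot be checked from here.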